Article published on the 3rd of April, 2025.
1. Introduction
Sensitivity labels in Microsoft 365 are a feature of Microsoft Purview Information Protection that allows organizations to classify and protect data based on its sensitivity. These labels can be applied to SharePoint sites, Office 365 groups, documents, and more to enforce security and compliance policies automatically.
Key features of sensitivity labels include:
- Data Classification: Labels help in categorizing data based on its sensitivity.
- Encryption: Protects data by encrypting it, even when it's shared outside the organization.
- Content Marking: Adds headers, footers, or watermarks to documents to visually indicate the sensitivity.
- Access Controls: Restricts who can view or edit the content based on the label applied.
- Integration: Works across Microsoft 365, ensuring consistent protection of data across services.
By using Sensitivity Labels, organizations can ensure that sensitive information is handled appropriately, reducing the risk of data breaches and ensuring compliance with regulatory requirements.
In WorkPoint 365, sensitivity labels can be applied automatically to sites and Office 365 groups, and as the default sensitivity label on document libraries. Just like permissions, they are applied using WorkPoint security rules, optionally based on activation conditions.
An example without the use of activation conditions could be to always apply an "Internal" sensitivity label to sites for entities in a Human Resources module.
Another example of application using activation conditions could be applying the "Secret" sensitivity label to projects depending on metadata in a field, e.g., a "Classification" choice field with "Public" and "Secret" choices.
Sensitivity labels are part of a very large functionality suite in Microsoft. For more information about sensitivity labels, please visit this article and this article from Microsoft to familiarize yourself with the concepts and what sensitivity labels can do. We will not be going through how to enable and set up sensitivity labels inside Microsoft Purview in this article. For information on how to enable sensitivity labels for files in SharePoint and OneDrive, visit this article.
Note that sensitivity label functionalities operate as an additional layer of security on top of WorkPoint 365 and SharePoint security rules. This means that even if a user has access to content based on WorkPoint's security settings, they will still be unable to view it if a sensitivity label imposes restrictions that they are not authorized to bypass. In effect, this means that to gain access to a given element, the user must both have permission to view the element in SharePoint and be authorized by the sensitivity label policies applied to the element.
2. Requirements
Note that the following requirements may be subject to change as Microsoft updates their license structures and contents.
1. Microsoft 365 E5 or E3 with Compliance Add-on:
- Full access to Sensitivity Labels, including advanced features like automatic labeling, document encryption, and protection across all Microsoft 365 services (SharePoint, OneDrive, Teams, and Exchange), requires a Microsoft 365 E5 subscription.
- Organizations with a Microsoft 365 E3 subscription can access Sensitivity Labels with the purchase of a Compliance Add-on, which provides many of the same features as E5.
2. Azure Information Protection (AIP) Plan 1 or Plan 2:
- Sensitivity Labels are also included with Azure Information Protection Plan 1 or Plan 2. Plan 1 provides basic labeling and protection features, while Plan 2 offers advanced capabilities, such as automated classification and protection based on content.
3. Limited Access in Lower-Tier Licenses:
- Basic labeling capabilities may be available in lower-tier licenses (e.g., Microsoft 365 Business Standard), but these do not include the full range of features, such as automatic labeling or integration with DLP policies, and setting labels using APIs.
4. Tenant-Wide Activation:
- To use Sensitivity Labels across SharePoint and OneDrive, organizations must enable AIP integration, which also requires at least one user with Entra ID P1 or P2.
3. Getting started with sensitivity labels
For the best start using sensitivity labels in general, WorkPoint recommends you read and follow the official Microsoft getting-started article, which you can find here.
4. Setting up information protection rules
Information protection rules control which sensitivity labels to apply to different areas of the WorkPoint solution. They are set up per business module in the Security settings page.
To set up an information protection rule, follow these steps:
- On the WorkPoint 365 administration dashboard, click the header of the business module for which you want to set up a new information protection rule.
- In the business module menu, click "Security Settings".

- On the Security Settings page, scroll down to the "Information protection rules" section and click "Add information protection rule". This opens the following page where you can configure a new rule:
- Using the "Active" checker, you can activate or deactivate the specific information protection rule. Only active rules will be applied by WorkPoint.
- In the "Scope" drop down menu, you can select to which location type this specific information protection rule should apply. There are three options:
- Document Library: Select this option if this rule should target a document library on a business module entity site (e.g., Documents or Emails). This sets the default sensitivity label on the document library.
- Office 365 Group: Select this option if this rule should target the Office 365 group associated with a business module entity.
- Site: Select this option if this rule should target the site of a business module entity.
Depending on your selection in the Scope field, the additional configuration fields change.
Document Library:
If the Document Library scope is selected, the specific document library you want to target using this information protection rule must be selected. Only libraries that exist on the Master site of the business module can be selected.
Additionally, the sensitivity label you want to apply to the selected library must be selected. The list of sensitivity labels shows only published labels which target libraries. Here, we have exemplified the usage of the "Public" label, applied to the "Documents" library:
It's important to note that the sensitivity label selected here will be applied as the default sensitivity label on the selected document library, and items created in the library will inherit this label by default.
Office 365 Group:
If the Office 365 Group scope is selected, you only need to select the sensitivity label you want to apply to Office 365 groups associated with the entities within the business module, here exemplified using the "Secret" label:
Note that to use the Office 365 Group scope, you must set up a Service User account, which can be done in the Process Builder in the "Connections" menu.
Site:
If the Site scope is selected, you only need to select the sensitivity label you want to apply to sites within the business module, here exemplified using the "Public" label:
4.1. Activation conditions
Information protection rules can be applied using activation conditions.
The Security Settings page includes a section called "Activation conditions for security rules":
If the Mode selector is set to "Always", all information protection rules (and security rules) are always applied by WorkPoint. If it is set to "Simple", all rules are applied by WorkPoint if a single activation condition is fulfilled. If it is set to "Advanced", each rule can be specified to be applied when a given activation condition is fulfilled.
If the Mode is set to "Simple", another selector appears below the Mode selector, in which you can select the activation condition on which to base the application of the rules:
As mentioned, if the Mode is instead set to "Advanced", each individual rule can be applied depending on whether a specified activation condition is fulfilled.
The following image shows a configuration of a security rule when the Advanced activation condition mode is selected:
In this example, we have set up an activation condition called "Project is secret", which is true if a classification field on the Projects module is set to "Secret". If this activation condition is fulfilled, the "Secret" sensitivity label will be applied to the site of the given entity.
5. Inspecting sensitivity labels on elements
The following sections show how you can inspect which sensitivity labels are applied to various types of elements.
Keep in mind that the rules and activation conditions described in the article are meant to set the sensitivity label automatically.
5.1. Sites
The sensitivity labels applied to SharePoint sites (and WorkPoint sites) can be viewed in the SharePoint Administration portal:
- Search for and click the name of the SharePoint site you want to inspect.
- In the "Settings" tab, you can see the applied sensitivity label in the "Sensitivity label" section.
5.2. Office 365 groups
You can inspect the sensitivity labels applied to Office 365 groups in the Microsoft 365 Administration portal:
- Search for and click the name of an Office 365 group on the "Active teams and groups" page.
- In the "Sensitivity label" section, you can inspect the currently applied sensitivity label.
5.3. Document libraries
You can inspect the default sensitivity label applied to a Document Library in the library settings:

Documents saved into or created in the library inherit this label, which can be inspected by viewing the document's details:
- Right-click the document you wish to inspect.
- In the options menu, click "Details".

- In the Details panel, you can inspect, and even set the currently applied sensitivity label if you wish to apply a different one than the default.
Alternatively, you can inspect and set the sensitivity label inside the document:
- Inside Outlook Online, click the header of the document and inspect/set the sensitivity label.
6. Example configuration
In this section, we will go through an example configuration for information protection rules on a Project Management solution. Specifically, we will set the system up so that we can classify projects as either public or classified. If we classify a project as classified, we want to apply the "Secret" sensitivity label to the entity site, and we also want the Secret label to be the default label for the project's document libraries.
It's important to note that when using WorkPoint's information protection rules with Site scope, only the actual entity sites will get sensitivity labels applied to them, not the entity item itself.
To facilitate this example, we have two business modules: Customers and Projects.
On the Projects business module, we have added a custom Choice field called "Classification" with two options: Public and Classified. This field is shown in the following image:

In this instance, the Master project is classified as Public. From here on, the Master entity will be hidden on the view.
In the Security Settings page for the Projects module, we have set the Activation condition Mode to "Advanced", and we have also created an activation condition for when projects are classified as "Classified", as shown in the following image:
The "Advanced" Activation condition mode makes it possible for us to define which activation condition to use for each information protection rule. In this instance we only have one activation condition, but in other cases you may need to work with multiple rules requiring various activation conditions.
Next, we have created three information protection rules, as shown in the following image:
All the information protection rules use the same activation condition, meaning they will all activate if a project is created with the "Classified" option.
The first rule applies the "Secret" sensitivity label on the entity site itself.
The second and third rules apply the "Secret" sensitivity label as the default label to the Documents and Emails document libraries on the entity site.
In this demonstration we have not created rules for Office 365 groups, as we are not using the Teams integration for projects.
These activation conditions and information protection rules create the following behaviour.
In the image above, we provide metadata for a new project using the "Classified" option in the classification field.
When the project is created, it appears in the Projects business module:
In the SharePoint administration, we can find the site and check if the "Secret" sensitivity label has automatically been assigned to it by our Information Protection rule:
Next, let's take a look at the default sensitivity label on the Documents library on the project:
Finally, in the Documents library on Project Blue, let's create a new document:

Already upon creation of the document, the "Secret" sensitivity label is applied by the Information Protection rule:

If we want, we can show the "Sensitivity" column on the Document Library to display the sensitivity label applied to the documents:
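The following Python sketch is an added example, not WorkPoint code: it models the three activation condition modes from section 4.1 against the three rules of this example configuration, and compares the labels the rules should produce with labels read manually from the admin portals. The class, function and condition names are hypothetical, and the observed values are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    active: bool
    scope: str                      # "Site", "Office 365 Group" or "Document Library"
    label: str
    library: Optional[str] = None   # only used for the Document Library scope
    condition: Optional[Callable[[dict], bool]] = None  # per-rule (Advanced mode)

def expected_labels(mode, rules, entity, simple_condition=None):
    """Return {target: label} that the rules should produce for one entity."""
    result = {}
    for rule in rules:
        if not rule.active:                 # only active rules are applied
            continue
        if mode == "Always":
            applies = True
        elif mode == "Simple":              # one condition gates every rule
            applies = bool(simple_condition and simple_condition(entity))
        elif mode == "Advanced":            # each rule carries its own condition
            # Assumption: a rule without a condition is treated as always applying.
            applies = rule.condition is None or rule.condition(entity)
        else:
            raise ValueError(f"unknown mode: {mode}")
        if applies:
            target = rule.scope if rule.library is None else f"{rule.scope}: {rule.library}"
            result[target] = rule.label
    return result

def drift(expected, observed):
    # Targets whose observed label differs from (or lacks) the expected label.
    return {t: (lbl, observed.get(t)) for t, lbl in expected.items() if observed.get(t) != lbl}

# Constructed data mirroring the example configuration above.
def is_classified(entity):          # hypothetical activation condition
    return entity.get("Classification") == "Classified"

RULES = [
    Rule(True, "Site", "Secret", condition=is_classified),
    Rule(True, "Document Library", "Secret", "Documents", is_classified),
    Rule(True, "Document Library", "Secret", "Emails", is_classified),
]
PROJECT_BLUE = {"Title": "Project Blue", "Classification": "Classified"}
PUBLIC_PROJECT = {"Title": "Constructed public project", "Classification": "Public"}
# Constructed portal readings in which the Emails library default label is missing.
OBSERVED = {"Site": "Secret", "Document Library: Documents": "Secret"}

if __name__ == "__main__":
    print(drift(expected_labels("Advanced", RULES, PROJECT_BLUE), OBSERVED))
```

Any entry returned by `drift` is a location where a rule should have applied a label but the portal shows a different one or none, which is worth checking before content is stored there.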
7. Supported file types
Only certain file types are supported by SharePoint for labeling. WorkPoint does not extend this list of file types, and thus only the following file types can be labeled automatically in WorkPoint, even if a default sensitivity label is set for a document library:
- Word: .docx, .docm, .dotx, .dotm
- Excel: .xlsx, .xlsb, .xlsm, .xltm, .xltx
- PowerPoint: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm
You can read more in this article.